From b49941c9b872c22fdb4baf8c4922f1cf1ed13131 Mon Sep 17 00:00:00 2001
From: Tim Burke <tim.burke@gmail.com>
Date: Wed, 19 Feb 2025 16:54:32 -0800
Subject: [PATCH] s3api: Simplify HashingInput signature

It's always called with sha256 and raises sha256-specific errors;
we don't need to pretend to support arbitrary hashes.

Change-Id: Icff79ded067084249080e3e6f555429261eb0af0
---
 swift/common/middleware/s3api/s3request.py    |  7 +++----
 .../common/middleware/s3api/test_s3request.py | 19 +++++++------------
 2 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/swift/common/middleware/s3api/s3request.py b/swift/common/middleware/s3api/s3request.py
index c0ec725d14..f14e0a147a 100644
--- a/swift/common/middleware/s3api/s3request.py
+++ b/swift/common/middleware/s3api/s3request.py
@@ -135,13 +135,13 @@ class S3InputSHA256Mismatch(BaseException):
 
 class HashingInput(object):
     """
-    wsgi.input wrapper to verify the hash of the input as it's read.
+    wsgi.input wrapper to verify the SHA256 of the input as it's read.
     """
 
-    def __init__(self, reader, content_length, hasher, expected_hex_hash):
+    def __init__(self, reader, content_length, expected_hex_hash):
         self._input = reader
         self._to_read = content_length
-        self._hasher = hasher()
+        self._hasher = sha256()
         self._expected = expected_hex_hash
         if content_length == 0 and \
                 self._hasher.hexdigest() != self._expected.lower():
@@ -887,7 +887,6 @@ class S3Request(swob.Request):
             self.environ['wsgi.input'] = HashingInput(
                 self.environ['wsgi.input'],
                 self.content_length,
-                sha256,
                 aws_sha256)
         # If no content-length, either client's trying to do a HTTP chunked
         # transfer, or a HTTP/1.0-style transfer (in which case swift will
diff --git a/test/unit/common/middleware/s3api/test_s3request.py b/test/unit/common/middleware/s3api/test_s3request.py
index 87276ff06a..1c8994274c 100644
--- a/test/unit/common/middleware/s3api/test_s3request.py
+++ b/test/unit/common/middleware/s3api/test_s3request.py
@@ -36,7 +36,6 @@ from swift.common.middleware.s3api.s3response import InvalidArgument, \
     AccessDenied, SignatureDoesNotMatch, RequestTimeTooSkewed, \
     InvalidPartArgument, InvalidPartNumber, InvalidRequest, \
     XAmzContentSHA256Mismatch
-from swift.common.utils import md5
 
 from test.debug_logger import debug_logger
 
@@ -1461,8 +1460,7 @@ class TestHashingInput(S3ApiTestCase):
     def test_good(self):
         raw = b'123456789'
         wrapped = HashingInput(
-            BytesIO(raw), 9, lambda: md5(usedforsecurity=False),
-            md5(raw, usedforsecurity=False).hexdigest())
+            BytesIO(raw), 9, hashlib.sha256(raw).hexdigest())
         self.assertEqual(b'1234', wrapped.read(4))
         self.assertEqual(b'56', wrapped.read(2))
         # trying to read past the end gets us whatever's left
@@ -1475,8 +1473,8 @@ class TestHashingInput(S3ApiTestCase):
         self.assertTrue(wrapped._input.closed)
 
     def test_empty(self):
-        wrapped = HashingInput(BytesIO(b''), 0, hashlib.sha256,
-                               hashlib.sha256(b'').hexdigest())
+        wrapped = HashingInput(
+            BytesIO(b''), 0, hashlib.sha256(b'').hexdigest())
         self.assertEqual(b'', wrapped.read(4))
         self.assertEqual(b'', wrapped.read(2))
 
@@ -1487,8 +1485,7 @@ class TestHashingInput(S3ApiTestCase):
     def test_too_long(self):
         raw = b'123456789'
         wrapped = HashingInput(
-            BytesIO(raw), 8, lambda: md5(usedforsecurity=False),
-            md5(raw, usedforsecurity=False).hexdigest())
+            BytesIO(raw), 8, hashlib.sha256(raw).hexdigest())
         self.assertEqual(b'1234', wrapped.read(4))
         self.assertEqual(b'56', wrapped.read(2))
         # even though the hash matches, there was more data than we expected
@@ -1503,8 +1500,7 @@ class TestHashingInput(S3ApiTestCase):
     def test_too_short(self):
         raw = b'123456789'
         wrapped = HashingInput(
-            BytesIO(raw), 10, lambda: md5(usedforsecurity=False),
-            md5(raw, usedforsecurity=False).hexdigest())
+            BytesIO(raw), 10, hashlib.sha256(raw).hexdigest())
         self.assertEqual(b'1234', wrapped.read(4))
         self.assertEqual(b'56', wrapped.read(2))
         # even though the hash matches, there was more data than we expected
@@ -1515,8 +1511,7 @@ class TestHashingInput(S3ApiTestCase):
     def test_bad_hash(self):
         raw = b'123456789'
         wrapped = HashingInput(
-            BytesIO(raw), 9, hashlib.sha256,
-            md5(raw, usedforsecurity=False).hexdigest())
+            BytesIO(raw), 9, hashlib.sha256().hexdigest())
         self.assertEqual(b'1234', wrapped.read(4))
         self.assertEqual(b'5678', wrapped.read(4))
         with self.assertRaises(S3InputSHA256Mismatch):
@@ -1528,7 +1523,7 @@ class TestHashingInput(S3ApiTestCase):
         self.assertFalse(_input.closed)
         with self.assertRaises(XAmzContentSHA256Mismatch):
             # Don't even get a chance to try to read it
-            HashingInput(_input, 0, hashlib.sha256, 'nope')
+            HashingInput(_input, 0, 'nope')
         self.assertTrue(_input.closed)